Blog02: T&T — Passwords! TOO MANY OF THEM
Welcome back to our blog. Today we will be looking together at an issue that almost everyone deals with on a daily basis, the issue of password management.
By the end of this article, we will have gone through several methods and tools that help make sure our passwords are both strong and easy to manage. But before that, we will go through some reasons as to why is this even something to worry about.
First, some statistics
ITU estimates that approximately 5.3 billion people — or 66% of the world’s population — are using the internet in 2022. A 2018 report by Cybersecurity Ventures considers an average of as many as 25 passwords for each internet user. A 2022 report by LastPass showed that 62% of people surveyed always or mostly use the same password or a variation. NordPass’s Top 200 most common passwords list has “123456”, “1234567” and “12345” on the top 3.
You see where I’m going with this, we have a lot of passwords to take care of, and many people choose the easy way aka using easy passwords.
Now, I know that we don’t necessarily see the risk of using an easy password or re-using one. This table from Hive Systems should make it easier to see how dangerous it is to use a short and easy password.
I think after looking at the table we can all agree that an easy password is far from reliable. But what could stop us from choosing a strong password and using it everywhere?
Meet HaveIBeenPwned and Firefox Monitor
You must have heard about or seen news of data breaches in the past. One of the most famous data breaches in the history of Internet is the one that affected MySpace in 2013 when records of email addresses, usernames, and passwords of users of the website were leaked and sold on the Dark Web. If you have doubts on whether or not your name may figure on one of the many data breaches that happen each year, you should check these two websites:
All you need to do is put your email address or phone number and they will tell you if your data has ever been leaked as part of an attack.
You might be wondering, what does this have to do with the topic of this article?
The answer is quite simple, if we suppose that our data is not a 100% safe from breaches we cannot use the same password everywhere. Because if we do, a hacker’s access to one of our accounts will mean access to all of our accounts. Sounds scary? Let’s see how we can avoid that
Introducing: Password managers
What does a password manager do? Well, it manages passwords :)
In all seriousness, a password manager is a software or application that serves the main purpose of storing, generating and managing all of our passwords. Usually, password managers store the passwords in encrypted databases and lock them behind something called a master password. In most cases, even the providers of these services cannot access nor see the content of the passwords you store.
All you have to do then is choose a strong and complex master password and don’t forget it.
Here is a short list of some of the best password managers, including ones that I have tried myself:
- Dashlane: offers free and paid plans
- Bitwarden: open source and free to use
- LastPass: known to be the best but no free plans available
- NordPass: new to the market but very promising and competitive
- 1Password: offers the best plans for families and is recommended by HaveIBeenPwned
- and many more
Password managers can generate random and long passwords for any website that you sign into, and you wouldn’t even need to worry about remembering them because they are all saved safely.
All of the options I mentioned have one or more of these additional features: a desktop app, a mobile app, an addon or extension for your browser. And each will obviously have some special features specific to them.
Everything sounds safe and sound now, and we can be at ease now not worrying about our passwords anymore right? Wrong. Let me tell you why.
Remember when we said that if we use the same password everywhere, we give a hacker free reign on all of our accounts if they manage to find only one. Well, it is basically the same thing here. If a hacker manages to find our master password they can access all of our passwords from a single and convenient dashboard.
It seems like we are back to square one, fortunately no. There is a solution.
Ever heard of MFA ?
MFA stands for Multi-Factor Authentication, and in simple terms it means using more than one thing to log in.
In more technical terms, MFA relies on the use of two or more factors of different types to grant access to an asset. Factors are usually grouped into 4 categories: What you know, What you have, What you are and Where you are; with the 3 first categories being the most used for logins and access credentials. The image below sums this up nicely.
Now that we know what MFA is, what is the use of it?
Simply put, it is not easy to get ahold of multiple factors at once
A hacker may manage to find the master password(what you know) to your password manager database or vault. But it is going to be hard for them to find access to your phone(what you have) and even harder to your fingerprint or biometric data(what you are). And we can put this to good use.
In addition to using a password manager, it is highly recommended to use a 2FA application or hardware.
These tools work in protecting your passwords from being accessed even in the case where a hacker might find your master password.
And there a plenty of them, like literally
Just look up “MFA apps” on your trusty search engine.
So what do we need to remember?
- Please, stop using “123456” as a password
- Get over your skepticism and use a password manager
- Consider 2FA if you still have doubts
And most importantly, be cautious out there. It can never be a 100% safe on the internet and sometimes all we can do is keep good hope and cross our fingers.
In upcoming articles we will take a look at why, even with all these safety measures that we took, we can never be sure on the internet. So keep your eyes peeled for that.
Facebook: INSEC Ensias
Instagram: INSEC Ensias
Linkedin: INSEC Ensias
Youtube: INSEC Club
Don’t forget to drop us a follow on social media to stay up to date with everything the club is doing. Looking forward to sharing more knowledge with all the readers and we welcome your feedback at firstname.lastname@example.org